Archive for the 'Cryptography' Category

Security through obscurity, while helpful, is not sufficient to reliably safeguard your secrets from a determined attacker. That may be changing, however, as the linked article describes a new type of computer code obfuscation that can’t be reverse engineered. This would allow encryption programs and keys to be obfuscated, producing a new type of reliable encryption that (I’m assuming) can’t be broken by quantum computers.

This all goes back to a fundamental problem with protecting your proprietary computer code: the computer that it’s running on has to be able to understand it. In the early ’80s when personal computers were still fairly new, there were a bunch of anti-copying schemes for commercial software that tried to make it impossible to copy the floppy disks. Most of them were easily circumvented by skilled hackers. I remember a peripheral device for hackers that, when you pushed a button, would create a copy of whatever was in memory. So even if you couldn’t duplicate the disk, you could make a copy of the program from memory and save that to a non-protected disk. It was a losing battle, and most companies eventually abandoned these types of copy protection schemes.

But that’s all changed. The new method described in the linked article uses “indistinguishability obfuscation” to create computer code that’s too complex to be reverse-engineered, yet when run on a computer will produce the proper results. This is accomplished by including elements that appear random and add complexity but are carefully chosen to cancel themselves out.

As with the popular public key encryption, this method of obfuscation is tied to a difficult math problem. From the article: “This obfuscation scheme is unbreakable, the team showed, provided that a certain newfangled problem about lattices is as hard to solve as the team thinks it is.”

Obfuscation is not yet completely proven, but it shows great promise. And if it stands up after further research then we’ll probably see it go mainstream for at least cryptography and perhaps more.

Using custom software and a computer cluster of 25 graphics cards, password-cracking expert Jeremi Gosney has created a system capable of guessing 350 billion Windows passwords per second. From the article, it takes 5½ hours to “brute force every possible eight-character [Windows] password containing upper- and lower-case letters, digits, and symbols.” This development reinforces the message of this xkcd comic, that long passwords are much harder to crack than shorter but more complicated ones. Note also that an easy way to create long but memorable passwords is to use a passphrase.

So you’ve got something on your computer that you don’t want anyone else to see. To this effect, you’ve encrypted the hard drive. But then you’re put into a situation where an official requires that you unlock the computer so they can inspect the contents (this could happen at a border crossing, for example). That’s where Plausible Deniability comes into play. It’s a feature of TrueCrypt, where you have two hidden encrypted volumes on the same disk partition, and the password you enter determines which one you actually see. So you enter the decoy password, and it unlocks the decoy partition which contains no sensitive files. The other hidden partition appears to be empty space containing nothing but random data. Note that this probably won’t prevent a computer forensics expert from realizing that you have a hidden partition, but the casual observer will probably be fooled.

I’m amazed at the lengths that cryptography experts will go to in order to uncover weaknesses in a particular encryption scheme. (Chad’s News readers may recall this post where the hacker used acid and an electron microscope to reveal the circuitry of an encrypted microchip.) This time a vulnerability was found in OpenSSL, which is used by just about everyone. The researchers modified the power supply in such a way that it caused a one-bit error, and from that error they were able to obtain four bits of the 1024-bit secret key. They continued to produce the errors until they had enough data to piece together the entire key.

Taking note of the date of the linked article (March 2010), I’m guessing they’ve fixed this problem in OpenSSL. And while the method might work on other implementations, as well as on older hardware that still uses an unpatched version of OpenSSL, I don’t really see this as being an issue for the normal Chad’s News reader.

The linked page generates highly random passwords and delivers them in a secure manner. It’s probably a bit of overkill, but it’s better to trust Steve Gibson, a well-known and reliable source, than some unknown password generator you find via a Google search.

As regular Chad’s News readers already know, the current public-key encryption scheme will be useless once we build quantum computers with enough qubits. So scientists have been searching for an encryption method that’s less susceptible to quantum computing algorithms. Turns out that one such scheme was developed in 1978 by CalTech mathematician Robert McEliece. It’s safe from all currently-known quantum computing attacks. McEliece’s system is a bit unwieldy—the keys are very large—but expect to hear more about it unless a better quantum-safe method is found.

I have no idea how this is possible, and the math is beyond me, but an IBM employee named Craig Gentry has found a way to add and multiply encrypted data without first decrypting it. It’s called “fully homomorphic encryption.”

DNA can be used to make a one-way process suitable for encryption. I don’t completely understand the details, but the concept is interesting. I’m also thinking that DNA cryptography might be easier to implement than quantum cryptography.

It has been known for some time that the advent of quantum computers will completely destroy our existing public key encryption system, which depends on the difficulty of factoring a very large number. The appropriate quantum factoring algorithm already exists—we simply need to develop a functioning quantum computer on which to run it. Two research groups have moved the technology forward by creating very small proof-of-concept quantum computers that perform a modified version of the factoring algorithm. Their quantum computers are not scalable but do demonstrate that some of the core technology is working.

For those interested, the technical writeups are available here and here.

The main lesson from this is that you cannot encrypt data with today’s technology and expect it to be safe for more than a few decades at most (who knows—it could be years instead of decades). Also, I wonder if cryptologists are looking for something other than factoring to replace the one-way algorithm essential to public key encryption.

Researchers were recently able to factor a specially formed (but hard to factor) 1039-bit number in a mere 11 months. It shouldn’t be too long before those 1024-bit encryption keys can be broken in a realistic amount of time. My key is 4096 bits, which was specifically discouraged by the key generation software because it was considered to be massive overkill. Maybe it pays to be paranoid. Of course quantum computers, if they ever become a reality, will make existing encryption methods obsolete.